October 14
web application state
Posted by AjayJust the other day i started thinking about application state in our web application. HTTP is essentially a stateless protocol, which basically means that every request between the client and server is essentially a self contained unit with all the information required for each transactions embedded within the request.
Consider the figure above, that represents a typical Http model. Every HttpRequest will encode the information in the HttpRequest header and sends it over to the server which does processing and returns the response back as HTML.
But then there is more to Http than meets the eye. Http has been extended to allow state information to be stored. How many times has the word “session” been thrown around. What exactly is this session?
The HTTP model has three major scoped containers - HttpRequest, HttpSession and ServletContext. We will look at ServletContext some other time. HttpRequest of course works on a per request basis. All variables will have scope only for the lifetime of the request. HttpSession is a container where the scope of variable is essentially global. But how does this HttpSession work? The magic behind HttpSession is a concept called cookies and URL rewriting (if cookies are disabled).
Esentially there are three major ways to maintain the state between multiple stateless protocol requests.
- cookies - store state information client side, and send that state to server everytime a request is made
- hidden form fields - store data hidden in forms and send the form everytime a request is sent to the server
- URL rewriting - encode the state information within the URL. This is usually done using a jsessionid name value pair appended to the URL by the server at the end of each request.
Essentially once a cookie is created with session information, it is stored at the client, for future requests to look it up and regain the state. Alternatively using hidden form fields, the state itself can be transferred from one request to another. Last but not the least, URL rewriting can also do the trick.
Maintaining state is done by the servlet container like Tomcat. Tomcat maintains HttpSession either using client side cookies, or if cookies are disabled through URL rewriting.